No, access rules are for all the reading rights. Allowing to create objects is a different setting. And in your case you should be allowed to create the object but only if it is of a specific type. You should model this in a custom microflow that does the check. You could do this in the event handlers after create.
Regards,
Ronald
Hi Stefan,
Ronald correctly points out that this is not possible without custom logic in a microflow. I am not familiar with the complete requirements for you, but would it work to create the Employee in a microflow and preset the EmployeeType to contractor. Then you could remove the dropdown to set the employeeType and user will not be able to change it.
-Andrej
Thanks Ronald and Andrej for your answers.
I eventually solved it by refactoring the EmployeeType attribute to an entity, with a Category enum on it to use for the Xpath security constraints.
While editing the Employee entity, users now only see the EmployeeTypes in the dropdown which they are allowed to use.
This even works better for our situation, since adminstrators can now create EmployeeTypes in the application.